the unofficial HackerOne disclosure timeline.
curl
disclosed a bug submitted by
alphalaab
curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite
07 Jun 2026
Nextcloud
disclosed a bug submitted by
pirikara
Valid share tokens allow to access tempory upload files of share owner
07 Jun 2026
Nextcloud
disclosed a bug submitted by
priyanka010
Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
07 Jun 2026
Nextcloud
disclosed a bug submitted by
alper_ozturk
PIN bypass in PassCodeActivity via back button
07 Jun 2026
curl
disclosed a bug submitted by
argus-systems
GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding)
05 Jun 2026
curl
disclosed a bug submitted by
bagder
CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them
05 Jun 2026
curl
disclosed a bug submitted by
bagder
Shared HSTS cache accessed without lock
05 Jun 2026
curl
disclosed a bug submitted by
hamaowo
RTSP Digest auth state leaks across origins on reused libcurl easy handle
05 Jun 2026
curl
disclosed a bug submitted by
bowen111
TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix
05 Jun 2026
curl
disclosed a bug submitted by
skksndk
libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope
05 Jun 2026
curl
disclosed a bug submitted by
azraelxuemo
CURLOPT_COOKIE leaked to cross-origin redirect target CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path
05 Jun 2026
Revive Adserver
disclosed a bug submitted by
darky_os
Missing access control when linking banners or campaigns to zones
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
darky_os
Missing access control when linking trackers to campaigns
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
titanrain
Blind SQL injection via clientid parameter in zoneinclude.php
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
titanrain
Reflected XSS via clientid parameter in zoneinclude.php
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
0x4c616e
PHP code injection via delivery limitation logical
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
3l4
Stored XSS via Full Name field in userlog email entries
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
0x4c616e
Session ID reuse allowing XMLRPC API authentication bypass
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
3l4
Missing access control when modifying parent entities via XMLRPC
03 Jun 2026
Revive Adserver
disclosed a bug submitted by
v3rtical
Banner status override by advertiserlevel users
03 Jun 2026
BY DENIS WERNER - @NOBBD